How to Talk About EASM to the C-Suite

It’s always the case in nearly every organisation that getting teams to talk can run into issues every now and then. In the case of CISOs and the C-Suite this is nothing new. When it comes to today’s cybersecurity threats, being prepared and being able to get buy-in from people on the board level is business critical.

C-Suite executives are busy keeping track of staff, profits, projects and ensuring the smooth running of the organisation. However, so are CISOs, and getting people to talk needs to be a priority.

When it comes to External Attack Surface Management, the C-Suite needs to be better prepared. It is mainly humans and their interactions with systems that can cause the biggest security issues.

In this article, we will look at the challenges for CISOs and the C-Suite, EASM and the C-Suite, and how to talk about EASM with the C-Suite.

Challenges for CISOs and the C-Suite

There have been many challenges over recent years between the CISOs and the C-Suite team, the biggest being business readiness in the face of a global pandemic. The shift of people working from home and the challenges this brings to the cybersecurity teams cannot be understated.

There have been numerous reported cases of weakened cybersecurity systems because of this shift in working patterns, and the increased vulnerability to expanding external attack surfaces has been noted by many CISO teams around the world.

This is why the need to gain the C-Suite’s trust and buy-in, in order to effectively deal with ever-increasing security threats is a challenge for CISOs.

With the emergence of EASM (External Attack Surface Management) as one of the new cybersecurity concerns, CISOs have to think differently about how they get C-Suite buy-in. Particularly, CISOs need to think about:

  • CISOs need to understand C-Suite and business priorities.
  • CISOs need to clearly communicate what’s needed – so that C-Suite executives understand.
  • C-Suite don’t always fully understand complex technical presentations.
  • C-Suite are sometimes not up-to-date in their understanding of evolving cyber threats and risks to their businesses.
  • C-Suite might focus on the wrong metrics or data when considering cybersecurity.

EASM and the C-Suite

It’s no wonder that with anything technological, things move fast in cybersecurity. EASM as recently referred to the consultant firm Gartner is the new major security threat.

An External Attack Surface (EAS) also known as a digital attack surface, is the sum of an organisation’s internet-facing assets; and the associated attack vectors which can be exploited during an attack. Every public-facing asset your customers and employees access when interacting with your company online, whether owned and managed by your organisation or by a third party, makes up your online ecosystem. This represents your organisation’s external attack surface.

It’s no wonder that many organisations are completely unaware of how expansive their external attack surfaces are. You have to consider that external attack surfaces are primarily user-based – where misconfigurations between downloaded software, new apps or tech and even where information is being accessed, can cause larger security threats.

This is why it is important that organisations are implementing and using EASM effectively. However, one of the biggest challenges is getting CISOs to communicate the use of EASM with urgency to the C-Suite. This is something that must be resolved internally within the organisation in order to ensure protection from cyber attacks.

Therefore, the need to get cybersecurity buy-in from the C-Suite – specifically to support EASM is a business necessity.

How to Talk About EASM with C-Suite and the Board

Getting the CISOs to talk about EASM with the C-Suite and the Board is essential as highlighted in the previous section. But how does the CISO get to discuss this new hot topic in cybersecurity, without either alienating a busy Board or even the main decision makers?

So what do CISOs need to remember before discussing EASM to the C-Suite?

  • CISOs need to move beyond the technical aspects of their role to understand the C-Suite priorities and assist with the overall organisation’s strategy.
  • CISOs need to gain trust from the Board
  • C-Suite/Board needs to understand what the CISO is asking for and what’s required from them (the Board).
  • In many organisations the Board/Executive Management Team has no comprehensive understanding of information security, to fully evaluate cyber risks and preventive measures, proposed by CISOs.

There are some specific things that CISOs can do to make the process of communication easier with the C-Suite, this includes:

Know Your Audience

It can always be intimidating for non-technical minds to have technical discussions with technical people. Knowing your audience is essential, and CISOs need to be familiar with who they are talking to/communicating with, and what their respective priorities might be.

By knowing the target audience (their technical familiarity, favoured communication styles, priorities etc.) presentations and messages can be more effective and elicit trust.

CISOs may want to start by getting an understanding of the individuals knowledge of EASM, and then tailoring their explanations to that audience.

Use Business Terminology

One of the fears for many non-technical people is jargon. Jargon can isolate audiences more than it can bring people together, and CISOs have a bit of a reputation for using jargon in their presentations and even general discussions. This must be avoided at all costs – especially if you’re trying to get buy-in from individuals who have the power to approve changes.

Another important aspect of communication in this instance, is the need to fully understand relevant metrics and how they relate to the business and bottom-line. Communicate these with C-Suite and the Board using language they are familiar with.

Boards are more likely to respond to risk, and the need to show a return on their cybersecurity investment. There is a need for consistency and clarity without being over-complex.

Cite Relevant Security Breach Examples

One of the best ways to communicate with busy people is to talk about case studies of other busy people. What we mean is, discussing the issues faced by other businesses, can put the C-Suite in a better position to understand the potential impact of what could happen to their own business if they are not prepared.

This is a really good way of conveying the importance of EASM without having to over-sell. If a competitor or a business that is admired by the C-Suite has been affected by the cybersecurity challenges from EASM, it’s better to get the C-Suite to see it from a business perspective.

Another potential way to add to this strategy is to talk about the cost impact of security breaches. This can help in persuading C-Suite/Board to allocate an adequate security budget.

Finally, thanks to the ever-increasing use of personal devices and the move to WFH, explaining the risks involved in not paying adequate attention to EASM, is a strategy that can reap benefits for getting organisational approval.

Clearly Describe What’s Required

When discussing these measures, it’s important to be very clear about what it is you want to achieve, what you are asking for, and what to expect from the C-Suite/Board. Without clarity, the C-Suite can ignore the requests, as they are aware of the issue but have nothing to guide them to a solution that can help them.

For example, a complex EASM objective can be broken down into prioritised requirements. Those which have the greatest impact being the highest priority. The lower the priority, the less attention it should be given in any discussion.

Discuss the benefits of making these changes, and relate any specific requirements with the metrics that will be affected; e.g. risk levels or automation saving time etc.

In Conclusion

It would be an understatement to say that CISOs and the C-Suite have found it easy to communicate when it comes business requirements, especially in cybersecurity over the last couple of years. With a greater push to work from home for many businesses, getting CISOs and the C-Suite to have better communication is a business necessity.

With the emergence of EASM tools to help protect businesses from cyber attacks, CISOs must be able to better communicate the benefits of looking after these issues to the C-Suite, and prioritise what is required in order to keep the organisation running smoothly.

If you are looking to get a better understanding of where your organisation’s cyber weaknesses lie, BlueFort’s Evolve IT Services can not only help you to get a much better understanding of these threats, but also provide you with the solutions to protect your organisation in the long term.

Call 01252 917000, email enquiries@bluefort.com or get in touch with us via our contact form.

Get in touch with BlueFort